Opt-In vs Opt-Out: Differences, Examples and Best Practices

With the advent of data protection laws like GDPR and CCPA, the concept of opt-in and opt-out has gained a lot of significance over the past few years. You cannot collect, share or use people’s data without their consent unless for reasons that have other lawful bases.

We will discuss what opt-in and opt-out mean and when and how to use them for data processing.

Opt-in

The meaning of opt-in is to give permission or accept something. In other words, it is an affirmative action of giving or asking for user consent. 

You must be familiar with websites using checkboxes for users to agree to terms and conditions. It is an example of opt-in. Users can register their consent to the request by ticking the box.

In the opt-in model, you cannot collect or use user data unless the users give their permission.

There are often many requirements associated with opt-in consent. Consent is only valid when it meets the following conditions:

• Freely given: Users were not forced to give their consent using terms and conditions or deceptive design or UI.
• Informed: Users were informed of how their data will be used when they give consent.
• Specific: Consent for different purposes for collecting personal data is not bundled as one but requires users to opt-in for them separately.
• Unambiguous: Users had an explicit way to express their agreement, such as ticking a checkbox or clicking a button.
• Documented: Businesses must keep detailed records of consent to demonstrate compliance with legal requirements.

Laws like GDPR and LGPD follow the opt-in approach for personal data processing.

Opt-out

The meaning of opt-out is to refuse permission or cancel something. In other words, it is an act of refusing or withdrawing consent in response to a particular event or process. 

In the opt-out model, it is presumed that users agree to the collection or use of their data. They can stop this by using the opt-out option.

Key characteristics of opt-out consent include:

• Default inclusion unless explicitly declined.
• Requires businesses to provide easy and accessible mechanisms for users to withdraw their consent.
• Relies heavily on user action to reduce the risk of non-compliance.
• Suitable for regions or laws with less stringent consent requirements.

US laws like CPRA and VCDPA follow the opt-out approach.

Opt-in example

Opt-in is obtained for several purposes, like subscribing to newsletters, agreeing to terms and conditions, permission to save user details, consent to use cookies, etc. 

One common example is checkboxes in forms. Companies ask permission from users to share or use the data they enter in the form for purposes like email marketing or advertisements.

Spotify uses an opt-in registration form to ask for users’ consent to share their registration data for marketing and cross-border transfer. Users can express their agreement by ticking the checkbox.

Opt-out example

Not choosing to subscribe to newsletters, unticking a previously ticked checkbox, not consenting to save personal details, rejecting the use of cookies, etc. are some examples of opt-out.

E.g. Companies add an unsubscribe link at the end of their emails to let users opt out of emails. When users click the link, it will remove their emails from the company’s email marketing list.

Cookies perhaps occupy the top position in all discussions on opt-in and opt-out, thanks to data protection laws like ePrivacy Directive and GDPR. These laws regulate the use of cookies by making opt-in and opt-out consent models mandatory requirements.

E.g. if your website uses cookies that track the personal data of users, you must get their consent to do so before placing the cookies on their devices. You must also provide them the option to reject cookies or withdraw consent in case they opted in and want to opt out later.

Additionally, you must provide clear and precise information about cookies (including strictly necessary cookies) and their purpose when users visit a website. This will help them make an informed decision about whether to opt in or opt out of the use of cookies.

One of the major decisions around the consent regarding cookies was firmly established after the CJEU-Plant49 judgment. 

The judgment stated that the users’ opt-in obtained through pre-ticked checkboxes is no longer valid. Also, you cannot bundle multiple consent requests as one. They should be kept separate. The third point of the judgment said that the users must be aware of all the details about the cookies and what consenting to use them will mean. Knowledge of such information will make the decision easy and clear for them.

Opt-in and opt-out on cookies are generally implemented using cookie consent tools.

CPRA supports the opt-out model where you don’t have to include any option for opt-in. However, a good rule of thumb is that you should use a hybrid model, i.e. provide opt-in and opt-out options.

Here is one example of a cookie consent banner that has both opt-in and opt-out buttons.

Let’s look at some cases with examples where you should use opt-in options and how to implement each of them.

#1 When you collect personal data of people in the EU

… and when none of the below legal bases of processing applies:

• Contractual Obligation
• Legal Obligation
• Legitimate Interest
• Vital Interest
• Public Interest

How: For asking for consent, you can choose one of the opt-in methods:

• Paper form
• Opt-in boxes on paper or electronically
• Opt-in buttons or links
•  Yes/No options
• Technical settings or preference dashboard settings
• Emails requesting consent
• Oral consent requests
• Volunteering optional information for a specific purpose

#2 When you collect personal data from minors

If you require to collect the personal data of minors, you need parental consent.

How: Parental consent using any of the opt-in methods mentioned above.

#3 When you use third-party cookies.

You need explicit consent from users in such a case. A simple and clear opt-in option must be provided to them. 

How: The opt-in option here can be implemented using cookie consent banners. 

#4 When you require email addresses for newsletters and marketing purposes

Often, you may require consent to collect and store the email addresses of users to send newsletters or marketing emails.

How: Some of the ways you can implement the opt-in options are:

• Checkboxes at the end of forms
• Website footer
• First email (note that unless they opt-in for the subscription, you cannot send any more emails)

#1 When you use personal data for various purposes (lawful bases)

Users have the right to reject permission to collect or process their data if they deem it right. You are supposed to temporarily terminate the processing of data or delete the data in such cases. 

How: A contact point or link to submit consent opt-out requests.

#2 When you collect personal data from California residents

Per the California Privacy Rights Act (CCPA’s amended version), websites must provide California consumers the right to opt out of having their personal data sold or shared with third parties.

How: Add a “Do Not Sell or Share My Personal Information” link on the website, which will take them to settings or pages where they can confirm their choice.

#3 When you use cookies (especially third-party cookies) for analytical and advertising purposes

Users must be able to withdraw or reject the usage of cookies should they deem it right.

How: Cookie banners must have a reject option or link to manage cookies where they can choose what type of cookie they do not want to be stored on their device.

#4 When You send emails to your users

At any point, if the users feel like they no more want to receive any content on their email addresses, they should be able to unsubscribe.

How: Include an easily accessible unsubscribe link in the emails or on the website.